Factoring Malware and Organized Crime in to Web Application Security

Size: px

Start display at page:

Download "Factoring Malware and Organized Crime in to Web Application Security"

Jessica Briggs
8 years ago
Views:

1 Factoring Malware and Organized Crime in to Web Application Security Gunter Ollmann - VP of Research gollmann@damballa.com Blog - Blog - 5/14/2009 OWASP 2009 Europe - Factoring Malware and Organized Crime in to Webapp Security 1

2 Is malware a threat to Web apps? What malware are criminals using? How to botnets factor in to this? How do you use a botnet in Web app attacks? What should you be doing about this? 5/14/2009 OWASP 2009 Europe - Factoring Malware and Organized Crime in to Webapp Security 2

3 Web AppSec vs. Malware This is OWASP who cares about malware? Need to answer why someone breaks a Web application How is tied to ease and probability of success The world we live in Iframe injections avg. 100,000+ defacements per week Larger attacks of up to 1.5m SQL Injection-based defacements Botnets and their agents somewhere between m Storm worm of up to 10m bots I think the estimates are too high probably in the realm of 4m-12m worldwide (once you remove multiple pwn3d hosts) Identity information can be purchased from as little as 5 cents per record 5/14/2009 OWASP 2009 Europe - Factoring Malware and Organized Crime in to Webapp Security 3

4 Malware s Changing Face

5 5/14/2009 Targeted Protection Against Targeted Attacks 5

6 Malware & Web App Security Why is malware important to Web application security? 1. It makes secrets impossible 2. You can t trust your users 3. Vehicle for automated attack Not factoring it in to the design will cause a lot of pain later 5/14/2009 OWASP 2009 Europe - Factoring Malware and Organized Crime in to Webapp Security 6

large groups of users simultaneously Anonymous & globally proxied attacks Distributed attacks &

7 The Malware Threat What s the malware doing today? Bypassing client-side authentication to apps Spoofing content on the users behalf Impersonating large groups of users simultaneously Anonymous & globally proxied attacks Distributed attacks & federated problem solving Efficient brute-forcing technologies 5/14/2009 OWASP 2009 Europe - Factoring Malware and Organized Crime in to Webapp Security 7

8 Why target Web applications? Web applications are where the money is Online Banking Funds transfers and money laundering Online Shopping Purchase fraud, money laundering and supply chain News/Information Portals SEO attacks, money market manipulation & recruitment Joe s Boring Page Infection & recruitment vectors and PII fire-sale 5/14/2009 OWASP 2009 Europe - Factoring Malware and Organized Crime in to Webapp Security 8

9 Learning from Online Banking Vulnerabilities in the Web banking application are more than code injection vectors and authentication bypasses Poor application flow and a complex user experience are the bread & butter of today s criminal exploitation of Web banking applications 5/14/2009 OWASP 2009 Europe - Factoring Malware and Organized Crime in to Webapp Security 9

10 5/14/2009 Targeted Protection Against Targeted Attacks 10

11 Application Complexity How many steps must the user go through? How do they know if a new step has been introduced? How are error messages handled? What gets in the way of just doing it? 5/14/2009 OWASP 2009 Europe - Factoring Malware and Organized Crime in to Webapp Security 11

12 5/14/2009 Targeted Protection Against Targeted Attacks 12

13 Tools that speed up the defacement process Not necessarily targeted Defacement submissions Commercial Web defacement 5/14/2009 OWASP 2009 Europe - Factoring Malware and Organized Crime in to Webapp Security 13

probability for successful injection * Reverse domain name resolution * etc.

14 SQL Injection Attack Tools * Automatic page-rank verification * Search engine integration for finding vulnerable sites * Prioritization of results based on probability for successful injection * Reverse domain name resolution * etc. 5/14/2009 OWASP 2009 Europe - Factoring Malware and Organized Crime in to Webapp Security 14

15 5/14/2009 Targeted Protection Against Targeted Attacks 15

Keylogger Creators The Rat! popular keylogger creator kit Keylogger on demand or zero-day keylogger Prices in WebMoney (WMZ) The Rat! 7.0XP - 29 WMZ The Rat! 6.0XP/6.1-22 WMZ The Rat! 5.

16 Keylogger Creators The Rat! popular keylogger creator kit Keylogger on demand or zero-day keylogger Prices in WebMoney (WMZ) The Rat! 7.0XP - 29 WMZ The Rat! 6.0XP/ WMZ The Rat! 5.8XP - 15 WMZ The Rat! 5.5XP - 13 WMZ The Rat! 5.0XP - 9 WMZ The Rat! 4.0XP - 8 WMZ The Rat! 3.xx - 7 WMZ The Rat! 2.xx - 6 WMZ 5/14/2009 OWASP 2009 Europe - Factoring Malware and Organized Crime in to Webapp Security 16

VirtualPC, Symantec Sandbox, Virtual Box etc.

17 Malware creator kits Shark 3 (Jan 08) Remote Administration Tool RAT Added anti-debugger capabilities VmWare, Norman Sandbox, Sandboxie, VirtualPC, Symantec Sandbox, Virtual Box etc. 5/14/2009 OWASP 2009 Europe - Factoring Malware and Organized Crime in to Webapp Security 17

18 Trojan Creator Kits Constructor/Turkojan V.4 New features Remote Desktop Webcam Streaming Audio Streaming Remote passwords MSN Sniffer Remote Shell Advanced File Manager Online & Offline keylogger Information about remote computer Etc.. 5/14/2009 OWASP 2009 Europe - Factoring Malware and Organized Crime in to Webapp Security 18

Hire-a-Malware-Coder (Custom Build) Platform: software running on MAC OS to Windows Multitasking: have the capacity to work on multiple projects Speed and

starting from 100 euros I can also offer you another deal, I will share the complete source code in exchange to access to a botnet with at least 4000

19 Hire-a-Malware-Coder (Custom Build) Platform: software running on MAC OS to Windows Multitasking: have the capacity to work on multiple projects Speed and responsibility: at the highest level Pre-payment for new customers: 50% of the whole price, 30% pre-pay of the whole price for repeated customers Rates: starting from 100 euros I can also offer you another deal, I will share the complete source code in exchange to access to a botnet with at least 4000 infected hosts because I don't have time to play around with me bot right now. 5/14/2009 OWASP 2009 Europe - Factoring Malware and Organized Crime in to Webapp Security 19

Hire-a-malware-coder Pricing Other models exist for hire-a-malware-coder pricing Component/functionality based pricing Loader 300 FTP & Grabber 150 Assembler Spam bases 220 Socks 4/5 70 Botnet

20 Hire-a-malware-coder Pricing Other models exist for hire-a-malware-coder pricing Component/functionality based pricing Loader 300 FTP & Grabber 150 Assembler Spam bases 220 Socks 4/5 70 Botnet manager 600 Scripts 70 Assembler password stealers (IE, MSN, etc.) 70 AV-remover 70 Screen-grabber 70 Rules / License -- Customer has no right to transfer any of his three 3 persons except options for harmonizing with me -- Customer does not have the right to make any decompile, research, malicious modification of any three parts -- Customer has no right where either rasprostanyat information about three and a public discussion with the exception of three entries. -- For violating the rules - without any license denial manibekov and further conversations" 5/14/2009 OWASP 2009 Europe - Factoring Malware and Organized Crime in to Webapp Security 20

21 5/14/2009 Targeted Protection Against Targeted Attacks 21

Traditional Malware Operates and intercepts data at points through which the Web browser must communicate TCP/IP Stack Interception

22 Intercepting Traffic Man-in-thebrowser Man-in-the-browser Malware hooks inside the Web browser System Reconfiguration DNS Settings, Local HOST file, Routing tables, WPAD and Proxy settings Trojan Application Local Proxy Agent OS Hooking Keyloggers, Screen grabber Traditional Malware Operates and intercepts data at points through which the Web browser must communicate TCP/IP Stack Interception Packet inspection, pre/post SSL logging 5/14/2009 OWASP 2009 Europe - Factoring Malware and Organized Crime in to Webapp Security 22

WinInet httpsendrequest(), navigateto() Manipulate Copy, redirect, script, change, insert, sell.

23 API Hooking Malware Clean System Application The Web browser Infected System Application The Web browser WinInet httpsendrequest(), navigateto() Winsock TCP/IP stack Malware Proxying Web browser data. WinInet httpsendrequest(), navigateto() Manipulate Copy, redirect, script, change, insert, sell. Internet Winsock TCP/IP stack Internet 5/14/2009 OWASP 2009 Europe - Factoring Malware and Organized Crime in to Webapp Security 23

MITB Grabbing Login Credentials Steal login credentials, and ask for more Pre-login First page of login sequence is manipulated Login Multiple fields & pages added to the login sequence

security questions SSN, mothers maiden name, address, home phone number, mobile/cell phone number Type in all numbers of one-time-keypad scratch-card Change password for anti-keylogging

24 MITB Grabbing Login Credentials Steal login credentials, and ask for more Pre-login First page of login sequence is manipulated Login Multiple fields & pages added to the login sequence Post-login Authenticated user asked additional security questions Requests for additional data are easy to socially engineer Ask for credit/debit card details, including PIN and CVV Additional security questions SSN, mothers maiden name, address, home phone number, mobile/cell phone number Type in all numbers of one-time-keypad scratch-card Change password for anti-keylogging partial-password systems Test or resynchronize password/transaction calculators SSL/TLS encryption bypassed, padlock intact 5/14/2009 OWASP 2009 Europe - Factoring Malware and Organized Crime in to Webapp Security 24

25 5/14/2009 Targeted Protection Against Targeted Attacks 25

26 Traditional Banking Malware Focused on stealing login information Bank number, UID, password(s), session keys Techniques include: Keylogging, screen-grabbing, video-recording of mouse movements Redirection to counterfeit site (domain/host substitution) Replacement and pop-up windows Session hijacking (duplicating session cookies) Screen overlays (superimposed counterfeit web forms) 5/14/2009 OWASP 2009 Europe - Factoring Malware and Organized Crime in to Webapp Security 26

MITB Grabbing Login Credentials

MITB Grabbing Login Credentials Original pre-login fields UID, password & site Modified pre-login fields Now with ATM details and MMN New fields added MITB malware inserted additional fields. Records them,